Do you know what it means to be HIPAA compliant?

Be careful what you post on your website, you could be charged for false advertising! Some HIPAA compliance companies want you to use their “seal” of compliance. It is great advertising for them, but does it put your practice at risk of an audit? Some say yes, and worse, you could be charged for false advertising from the FTC.

https://www.ftc.gov/news-events/press-releases/2021/02/ftc-gives-final-approval-settlement-emergency-travel-services

https://www.ftc.gov/system/files/documents/cases/c-4732_skymed_final_order.pdf

HIPAA is a moving target and at any given moment you could be “out of compliance” for something as simple as using a device that hasn’t been updated with latest security patch. Of course, you won’t get fined for that, UNLESS it causes a data breach. So, to advertise that your organization is “HIPAA Compliant” could put you at risk for false advertising.

It has always been all about “documentation”. The HIPAA rules clearly outline the requirements for policies, procedures, and documentation. If your organization has not been evaluating (§164.308(a)(8)) the technical and non-technical security measures you have in place on a regular basis, you are out of compliance. How do you know when to conduct these evaluations? This depends on your policies, and if you do not have a policy on this, you are out of compliance. As you can see, this can be very confusing! Did you know that 75% of the Security Rule is policies and procedures, and 25% is technical safeguards? With Public Law No: 116-321, it is all about your documentation.

If the covered entity or business associate has adequately demonstrated that it had, for not less than the previous 12 months, recognized security practices in place that may:

(1) mitigate fines under section 1176 of the Social

        Security Act (as amended by section 13410);

(2) result in the early, favorable termination of an audit

        under section 13411; and

(3) mitigate the remedies that would otherwise be agreed

        to in any agreement with respect to resolving potential

        violations of the HIPAA Security rule (part 160 of title 45 Code

        of Federal Regulations and subparts A and C of part 164 of such

        title) between the covered entity or business associate and the

        Department of Health and Human Services.

Recognized security practices are those recommended in NIST and the Security Rule. Each organization must assess their environment and adapt “best practices”.

Most organizations think they are HIPAA compliant until they suffer a data breach, or a disgruntled employee / patient files a complaint against them. Then they are investigated by the Office for Civil Rights (OCR), unless they have proper documentation and have demonstrated best practices in data security, they may be fined up to $1.5M per violation.

This healthcare cybersecurity handout was created by the DHHS:

https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf

To find out more about how our online HIPAA Keeper™ can help your organization with HIPAA Compliance click here:

https://arismedicalsolutions.com/aris-hipaa-compliance-system-for-medical-offices/

Or to schedule a demo click the contact us tab and scroll down.

“Simplifying HIPAA through Automation, Education, and Support”

Cyber Alert: Ransomware Activity Targeting the Healthcare and Public Health Sector

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the U.S. Department of Health and Human Services (HHS) have credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.

CISA, FBI, and HHS have released AA20-302A Ransomware Activity Targeting the Healthcare and Public Health Sector that details both the threat and practices that healthcare organizations should continuously engage in to help manage the risk posed by ransomware and other cyber threats. The advisory references the joint CISA MS-ISAC Ransomware Guide that provides a ransomware response checklist that can serve as a ransomware-specific addendum to organization cyber incident response plans.

In addition to these materials regarding the most recent ransomware threat to the Healthcare and Public Health Sector, the HHS Office for Civil Rights’ Fact Sheet: Ransomware and HIPAA provides further information for entities regulated by the HIPAA Rules.

CISA, FBI, and HHS are sharing this information in order to provide a warning to healthcare providers to ensure that they take timely and reasonable precautions to protect their networks from these threats. CISA encourages users and administrators to review CISA’s Ransomware webpage for additional information.

©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC